Automating Authentication Providers in IIS with Command Line Kung Fu

I have a few servers with numerous sites, and I got tired of manually checking each site to see if it is using Kerberos or NTLM. I had to look up the site ID and then run:

cscript adsutil.vbs get w3svc/<ID>/NTAuthenticationProviders

I figured there had to be a better way since this was getting tiring,
especially since the IDs are goofy numbers. I decided to try to automate it
and I came up with this script.

for /F "tokens=2 delims=/][" %i in ('cscript adsutil.vbs enum w3svc /P ^| findstr [0-9][0-9]') do @echo %i && @cscript adsutil.vbs get w3svc/%i/NTAuthenticationProviders | findstr NTAuthenticationProviders


Let's break it down into its bits.

The script runs cscript adsutil.vbs enum w3svc /P, which enumerates the sites and gives us this output:

[/w3svc/1]
[/w3svc/1108215390]
....
[/w3svc/729050872]
[/w3svc/AppPools]
[/w3svc/Filters]
[/w3svc/Info]


We don't care about the last three items, so we use findstr to keep only the lines that contain two consecutive digits. We can't just look for a single digit, since that would match the 3 in w3svc on every line. Note that this filter also drops any site whose ID is a single digit, such as [/w3svc/1] in the output above.

The surrounding for loop breaks up each line using the delimiters ], [, and /, which gives us two tokens (w3svc and the site ID). The tokens=2 option gives us access to just the site ID (the second token) in our loop. The portion after 'do' is pretty straightforward: it echoes the site ID and then runs the command to get the authentication providers. We use findstr again to get rid of all the junk we don't need. If the command is saved in a batch file rather than typed at the prompt, %i must be written as %%i.

We can also use a similar script to enable Kerberos:

for /F "tokens=2 delims=/][" %i in ('cscript adsutil.vbs enum w3svc /P ^| findstr [0-9][0-9][0-9]*') do @echo %i && @cscript adsutil.vbs set w3svc/%i/NTAuthenticationProviders "Negotiate,NTLM"
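The read-only check from the first loop, as an added PowerShell example that is not part of the original post: it keeps every all-digit site node (including a one-digit ID) and labels each site by its provider list. The function names are hypothetical, the sample lines are constructed, and the `(STRING) "..."` output shape of `adsutil.vbs get` is an assumption, as is adsutil.vbs being in the current directory.

```powershell
# Added example, not the author's script. Function names are hypothetical.

function Get-SiteIds {
    param([string[]]$EnumLines)
    # Keep only nodes whose last path segment is entirely digits.
    # Unlike "findstr [0-9][0-9]", this also keeps a one-digit ID.
    foreach ($line in $EnumLines) {
        if ($line -match '^\[/w3svc/(\d+)\]\s*$') { $Matches[1] }
    }
}

function Get-AuthClass {
    param([string]$GetOutput)
    # Assumed output shape of "adsutil.vbs get":
    #   NTAuthenticationProviders : (STRING) "Negotiate,NTLM"
    if ($GetOutput -match 'NTAuthenticationProviders\s*:\s*\(STRING\)\s*"([^"]*)"') {
        $providers = $Matches[1] -split ',' | ForEach-Object { $_.Trim() }
        if ($providers -contains 'Negotiate') { return 'Negotiate offered' }
        return 'NTLM only'
    }
    # No value line came back for this node.
    return 'no explicit value returned'
}

# Constructed sample of "cscript adsutil.vbs enum w3svc /P" output.
$sample = @(
    '[/w3svc/1]',
    '[/w3svc/1108215390]',
    '[/w3svc/AppPools]',
    '[/w3svc/Filters]',
    '[/w3svc/Info]'
)
'Site IDs found in sample: ' + ((Get-SiteIds $sample) -join ', ')

# Live audit: runs only where adsutil.vbs is present (assumption: current directory).
if (Test-Path .\adsutil.vbs) {
    $ids = Get-SiteIds (cscript //nologo adsutil.vbs enum w3svc /P)
    foreach ($id in $ids) {
        $out = (cscript //nologo adsutil.vbs get "w3svc/$id/NTAuthenticationProviders") -join "`n"
        '{0,-12} {1}' -f $id, (Get-AuthClass $out)
    }
}
```

Sites reported as 'NTLM only' are the ones the set command above would change.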
